A Security Operations Center Report Template for Executive Buy-in
Angela Gelnaw | August 27, 2019
A monthly or quarterly report is a great way to summarize a SOC’s performance and uncover insights for executive leadership. But as a security and risk manager or executive, what information should you request from the managers who report to you?
In this blog post, we’ll walk through a best-practice security operations center report template for summary reporting.
As an upper-level manager, you’re not in the trenches of the SOC on a daily basis. However, you have the crucial job of making decisions about cybersecurity and relaying information regarding cyber risk to your superiors, and you rely on SOC managers to provide you with that information.
There are often significant gaps between what the SOC knows and what it reports to leadership. According to EY, only 15% of organizations say their information security reporting fully meets their expectations, and only 17% report on areas for improvement.
The SOC is heavily dependent on executive buy-in. It’s vital for SOC leadership to communicate with you effectively, so that the most important information reaches the chain of command in an accessible form and meaningful changes can be made.
Security Operations Center Report Template
In addition to information that’s relevant to your organization’s specific concerns, an effective SOC report will contain the following sections:
Executive Summary
Managers should summarize the most critical findings and action items from the report in non-technical language that executives and Board members can understand.
Key findings should also include at-a-glance insight into the organization’s security performance with clear metrics such as security ratings.
This information should be provided at the beginning of the report, where it’s most likely to be seen and read carefully.
Monitoring Summary
In this summary, managers should lay out an overview of what was monitored for the report, including the number and locations of monitored servers, workstations, and devices.
Don’t neglect to request information about what wasn’t monitored. It’s important to identify gaps in the SOC’s field of view so that strategies can be implemented to close them. Count an asset as monitored only if it actually delivered telemetry during the reporting period; a device that is listed in the inventory but has gone silent is a gap, not coverage.
Incident Summary
Here managers should provide the total number of incidents detected and resolved, as well as more specific data, such as:
Breakdown of incidents by type, target, and severity
Mean time to detect (MTTD): the average interval between the start of an incident and the SOC’s detection of it
Mean time to resolve (MTTR): the average interval from detection (or, in some definitions, from the start of the incident) to closure; the report should state which definition it uses and keep it fixed from period to period
Specific actions taken for each incident, such as log collection, quarantine, security patch installation, and password reset or other authentication system changes
Because a single slow case can drag a mean up, it helps to report the median alongside each mean, and to keep still-open incidents out of the MTTR figure while reporting their count separately.
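The coverage and incident figures described in the monitoring and incident sections can be produced mechanically from inventory, SIEM and ticketing exports rather than assembled by hand. The script below is an added example, not code from the original post, showing the "what wasn’t monitored" check, the MTTD/MTTR and breakdown calculations (with medians and open cases handled separately), and the period-over-period comparison that the Context section later asks for. Every asset name, field name, timestamp, the one-day silence threshold and the prior-period figures are constructed sample data.

```python
"""Compute the monitoring-coverage and incident figures for a SOC summary report.

Added example, not code from the original post. Every record below is constructed
sample data; the field names (site, last_event, occurred_at, ...) are assumptions
about what a CMDB, SIEM and ticketing system would export.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, median

PERIOD_END = datetime(2019, 8, 27)  # constructed reporting-period boundary

# Constructed asset inventory (what the organization owns) ...
INVENTORY = {
    "web-01":  {"site": "dc-east", "type": "server"},
    "web-02":  {"site": "dc-east", "type": "server"},
    "db-01":   {"site": "dc-west", "type": "server"},
    "lt-0419": {"site": "remote",  "type": "workstation"},
    "lt-0420": {"site": "remote",  "type": "workstation"},
}
# ... and the last time each asset delivered a log to the SIEM. An asset absent
# here is in the inventory but has never reported.
LAST_EVENT = {
    "web-01":  datetime(2019, 8, 26, 23, 55),
    "web-02":  datetime(2019, 7, 2, 8, 0),     # went silent weeks ago
    "db-01":   datetime(2019, 8, 26, 22, 0),
    "lt-0419": datetime(2019, 8, 26, 18, 0),
}


def coverage_gaps(inventory, last_event, period_end, max_silence=timedelta(days=1)):
    """Assets the SOC could not actually see: never reported, or silent for longer
    than max_silence before the period end. Enrolled is not the same as monitored."""
    gaps = {}
    for asset in inventory:
        seen = last_event.get(asset)
        if seen is None:
            gaps[asset] = "never reported"
        elif period_end - seen > max_silence:
            gaps[asset] = f"silent since {seen:%Y-%m-%d}"
    return gaps


def coverage_by_site(inventory, gaps):
    """(monitored, total) per site: the figure the monitoring summary should show."""
    total = Counter(meta["site"] for meta in inventory.values())
    missing = Counter(inventory[asset]["site"] for asset in gaps)
    return {site: (total[site] - missing[site], total[site]) for site in total}


# Constructed incident tickets. occurred_at is the earliest attacker activity found
# by the investigation, detected_at the SOC's first alert, resolved_at the closure
# time (None while the case is still open).
INCIDENTS = [
    {"id": "INC-1", "type": "phishing", "target": "finance", "severity": "high",
     "occurred_at": datetime(2019, 8, 1, 9, 0), "detected_at": datetime(2019, 8, 1, 10, 0),
     "resolved_at": datetime(2019, 8, 1, 16, 0)},
    {"id": "INC-2", "type": "malware", "target": "web-01", "severity": "medium",
     "occurred_at": datetime(2019, 8, 5, 0, 0), "detected_at": datetime(2019, 8, 7, 0, 0),
     "resolved_at": datetime(2019, 8, 7, 12, 0)},
    {"id": "INC-3", "type": "phishing", "target": "hr", "severity": "low",
     "occurred_at": datetime(2019, 8, 10, 8, 0), "detected_at": datetime(2019, 8, 10, 8, 30),
     "resolved_at": datetime(2019, 8, 10, 9, 30)},
    {"id": "INC-4", "type": "credential-misuse", "target": "db-01", "severity": "high",
     "occurred_at": datetime(2019, 8, 20, 2, 0), "detected_at": datetime(2019, 8, 20, 14, 0),
     "resolved_at": None},
]


def hours(delta):
    return delta.total_seconds() / 3600


def incident_metrics(incidents):
    """Counts, breakdowns, and MTTD/MTTR in hours. Here MTTD runs from first attacker
    activity to detection and MTTR from detection to closure; open cases are
    excluded from MTTR rather than silently counted as resolved."""
    closed = [i for i in incidents if i["resolved_at"] is not None]
    ttd = [hours(i["detected_at"] - i["occurred_at"]) for i in incidents]
    ttr = [hours(i["resolved_at"] - i["detected_at"]) for i in closed]
    return {
        "detected": len(incidents),
        "resolved": len(closed),
        "open": len(incidents) - len(closed),
        "mttd_h": mean(ttd),
        "median_ttd_h": median(ttd),   # the mean alone hides one slow outlier
        "mttr_h": mean(ttr) if ttr else None,
        "median_ttr_h": median(ttr) if ttr else None,
        "by_type": dict(Counter(i["type"] for i in incidents)),
        "by_severity": dict(Counter(i["severity"] for i in incidents)),
        "by_target": dict(Counter(i["target"] for i in incidents)),
    }


def pct_change(current, previous):
    """Period-over-period change of a KPI in percent, for the historical comparison."""
    if current is None or previous is None or previous == 0:
        return None
    return (current - previous) / previous * 100


if __name__ == "__main__":
    gaps = coverage_gaps(INVENTORY, LAST_EVENT, PERIOD_END)
    print("not monitored:", gaps)
    print("coverage by site:", coverage_by_site(INVENTORY, gaps))
    current = incident_metrics(INCIDENTS)
    print("incident metrics:", current)
    prior = {"mttd_h": 20.0, "mttr_h": 8.0}  # constructed prior-period figures
    for kpi in prior:
        print(f"{kpi}: {pct_change(current[kpi], prior[kpi]):+.1f}% vs prior period")
```

In the sample data one 48-hour detection pulls MTTD to about 15 hours while the median is 6.5 hours, which is exactly why both belong in the report; likewise the two coverage gaps come from one asset that was never enrolled and one that stopped reporting, and only the per-site monitored/total figures make that visible to a reader who does not know the hostnames.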
Threat Summary
This section should outline the most severe threats faced by your organization in the past month or quarter, specify whether your organization anticipated them, and detail how the SOC handled them.
Information about emerging malware trends and recommended actions to prepare for those threats will also be helpful.
The threat summary is also where cybersecurity concerns should be put into context. The SOC manager needs to present information about common cyber attacks, using real incidents as examples.
As part of the threat summary, ask managers to respond to the following questions:
What incidents have recently occurred in our industry?
What kind of threat(s) will pose the most risk to our organization in the coming month/quarter?
How does our organization compare to peers and competitors when it comes to mitigating risk?
Recommendations
This is a manager’s opportunity to advocate for the SOC and to request any additional resources needed to improve performance. Concrete recommendations, with estimated costs where possible, will make your job easier as you make decisions and consult with your superiors about proposed changes.
These recommendations do not need to fall entirely within the SOC’s purview. Managers should consider how other departments can work together to promote a culture of cybersecurity awareness within the organization.
For example, much of the malware that reaches organizations arrives through phishing emails, a problem that requires employee training to correct. A SOC manager might recommend stricter enforcement of cybersecurity policies across all departments, or cybersecurity workshops organized by learning and development, to address this issue.
As they compose each section of the report, managers need to keep audience and purpose in mind so that upper-level managers, executives, and Board members can turn data into action. For maximum impact, reports should allow for both clarity and context.
Clarity
The majority of executives and Board members will have limited technical understanding, so clarity is key.
An effective report will use language that non-technical readers can understand, and make use of synthesized metrics like security ratings to deliver complicated information in an easily digestible format. Wherever possible, non-critical information should go in an appendix, so that excess data does not clog the body of the report and make it harder to understand.
Context
It’s not effective to simply present data in a vacuum. To communicate findings effectively, context and analysis are required.
The report should compare KPIs with historical performance, with the performance of peers and competitors, and with progress toward stated objectives.
Managers should also aim to provide meaningful analysis — what does it mean to the business that these incidents occurred, or could occur in the future? Which incidents pose the biggest risk for revenue, customer trust, and legal costs?
When a report successfully illustrates the tangible impact of both actual and potential attacks, security leadership can make a more compelling case for allocating more resources to the SOC.
Closing the Knowledge Gap
Maintaining C-suite and Board buy-in can be challenging, and the quality of a report can make or break this vital line of communication. With an effective SOC summary report, you can improve decision making and communication up the chain — ultimately improving your organization’s overall cybersecurity.